CVE-2022-4361

CWE-81 CWE-79 — Cross-site Scripting (XSS)7 documents6 sources

Severity

6.1MEDIUM

EPSS

1.3%

top 20.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Redhat Single Sign-on Redhat Openshift Container Platform +2 more

Timeline

PublishedJul 7

Latest updateAug 25

Description

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages3 packages

▶NVDredhat/keycloak< 21.1.2

▶Mavenorg.keycloak:keycloak-services< 21.1.2

▶NVDredhat/single_sign-on7.6 — 7.6.4

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers↗2023-07-07

▶

OSV

Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC↗2023-06-30

▶

GHSA

Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC↗2023-06-30

▶

📋Vendor Advisories

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4361↗2023-08-25

▶

Red Hat

RHSSO: XSS due to lax URI scheme validation↗2023-06-27

▶